Web Application Vulnerability Scanning

Web applications, while extremely useful, are a major threat vector for all organizations. A study by nCircle found that there was a 154% increase from 2007 to 2008 in web application vulnerabilities and that number was expected to continue to grow by 25% in 2009.

The IT Security Services group performs web application vulnerability scans against web applications before they are placed in production. These scans are performed against internally developed or hosted applications before "go-live" to help identify and resolve any major vulnerabilities that exist. A scan can take anywhere from one day to a month to complete, depending on the complexity and size of the application.

The scan checks for high-risk issues such as SQL Injection, information leakage, and Cross-Site Scripting vulnerabilities. A high-level summary report and a detailed report are provided after the scans are completed. The summary report gives a high-level description of the issues found and their possible causes, while the detailed report includes everything in the summary report with more detail and remediation recommendations for each vulnerability found. Typically, both unauthenticated and authenticated scans are performed against the web application.

For further information regarding web application security please see the Open Web Application Security Project (OWASP) web page located at owasp.org.

To request a scan, please submit a request via Risque (IT Security - WebApp Security Scan). If you have never logged into Risque, you will need to set up your Risque client profile (WebApp Security Scan will automatically be checked). If you have any questions, please send an email to itap-securityhelp@purdue.edu.